package com.myshiro.config;

import com.myshiro.pojo.SysRight;
import com.myshiro.pojo.SysUser;
import com.myshiro.service.SysUserService;
import com.myshiro.utils.Constants;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

import javax.annotation.Resource;
import java.util.List;

public class MyShiroRealm extends AuthorizingRealm {

    @Resource
    SysUserService userService;

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        System.out.println("获取<<身份信息/从token中取到账号和密码>>...............");
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        //调用service验证账密
        SysUser sysUser = userService.login(token.getUsername());

        if (null==sysUser) throw new UnknownAccountException("账户不存在");

        if (null==sysUser.getUsrFlag() || sysUser.getUsrFlag().intValue()==0)
            throw new LockedAccountException("账户被锁定");

        //principal
        SimpleAuthenticationInfo info =new SimpleAuthenticationInfo(sysUser
                                            ,sysUser.getUsrPassword() //把密码交给了shiro的Authentication去处理
                                            ,ByteSource.Util.bytes(Constants.salt)//把盐给shiro
                                            ,getName()
        );
        return info;
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        System.out.println("------获取<<权限信息>>...............");
        SysUser sysUser = (SysUser) principals.getPrimaryPrincipal();//获取主体信息


        SimpleAuthorizationInfo zinfo =new SimpleAuthorizationInfo();

        //动态授权
        //① zinfo.addRole("管理员")  --> 得到当前登录用户的角色
        //② zinfo.addStringPermission("user:add");   --> 根据当前的角色信息,去获取该角色下拥有的权限列表

         /*zinfo.addRole("管理员");
            zinfo.addStringPermission("user:list"); //所有的人都可以看列表

            System.out.println("--------------sysUser.getUsrRoleId():   "+sysUser.getUsrRoleId());

            if (1==sysUser.getRole().getRoleId()){ //管理员
                zinfo.addStringPermission("user:add");
                zinfo.addStringPermission("user:update");
            }else{  //非管理员
                zinfo.addStringPermission("L0501"); //sysRight 表的 right_code
        }*/
        //静态授权
        //模拟数据库中的数据
        //登录的时候查的是user表的全部数据 ,只有usr_id  role_id 没有roleName

        //假设系统中一共有200个权限, 当前登录的用户,是个客户经理,只有其中的60个
        //动态授权
        //从loginController得到登录用户的主体/role/rights
        zinfo.addRole(sysUser.getRole().getRoleName());//zinfo.addRole("管理员");
        // zinfo.addStringPermission("L0501"); 加入数据库中的权限
        List<SysRight> rights = sysUser.getRole().getRights();
        rights.forEach(sysRight -> zinfo.addStringPermission(sysRight.getRightCode()));

        return zinfo;
    }


}
